METHOD AND SYSTEM PROTECTING DATA IN STORAGE DEVICE
AGAINST COMPUTER VIRUSES

Field of the Invention

This invention relates to computer viruses and, more
specifically, to protecting computer data on a storage
device against computer viruses.

Background Art

A well-known computer virus in the IBM PC environment is
the Brain virus, whose name derives from the volume
label. The virus infects the boot sector of a disk or
diskette and resets the volume label to "(C)Brain". The
virus has a few editions; some of them reside in the data
area (DA) of a diskette, which is not used by the system,
and set the File Allocation Table (FAT) on the disk to
'bad cluster'. The FAT is a system area on a disk or
diskette formatted under the DOS operating system; it
contains file allocation information for the disk,
represented as a linked-list structure.

One type of virus resides in the boot sector of a disk or
diskette and takes control when the system is booted. The
virus may stay in memory, as what is called a Terminate
and Stay Resident (TSR) program, until the power is turned
off. Another well-known type of virus resides in a binary
file. The virus is active when the program in which it
resides is invoked. The virus becomes an active entity,
finds binary files that are not yet infected and infects
them. A virus achieves its goal of propagating itself by
the infection procedure. The infection procedure makes a
binary file an infected program.

Virus instructions are usually machine instructions of the
target computer, but rarely a shell program (batch file
program) can also contain virus code.

A virus intrinsically propagates itself and becomes many
in number. Viruses are also multiplied when users copy
infected software, and by a person who puts virus code
into a system deliberately or unintentionally.

As for activity while staying in memory under DOS, it is
reported that virus code typically changes the interrupt
vector of INT 21H (decimal 33) and some other interrupt
vectors to point to itself, so that when interrupt 21H
occurs the virus instructions are executed. The virus can
do a variety of tasks on this occasion, for example
propagate, display a message, destroy or modify data in
storage, modify data in memory, etc., and it then passes
control to the original interrupt service routine. Every
operation seems normal except for the RAM-resident
portion. The user might believe that the data on disk is
safe and correct while the data has been or will be
altered.

Several kinds of effort have been made to counter the
threat of viruses: passwords, checksums, encryption,
scanning and elimination, alert techniques, and law
enforcement.

A well-organized access system may help to protect a
system from viruses.

Binary files are altered when it is not necessary, and
data files are modified by any program (process)
unnecessarily. The well-known personal computer under DOS
does not provide levels or modes of process. Any process
can potentially access any resource without restriction
under DOS, while other operating systems, for example the
well-known operating system UNIX, do provide access
rights. Normally a process in kernel mode (or monitor
mode) has privilege and can access any resource without
restriction, while a process in user mode is restricted to
its own area when accessing resources. If a virus has the
privilege of kernel mode, it is dangerous. A virus can
potentially reach a high or the highest level.

Herein, the invention provides a privileged signal which
ever existed. A virus cannot reach the level of privilege
named Keyboard Privilege (KP). This will take a
fundamental role in this invention. As a result, this
invention enables a system in which a virus can never
reside.

A virus can be defeated by not allowing it space to reside
in the computer storage system, since a virus needs space
in non-volatile storage in which to reside.

Infection is done in four different ways. The one with
which we are concerned is propagation, which is done by
the virus itself and is an intrinsic characteristic of a
virus. A virus must alter binary files or some system area
in which it can reside. This invention can prohibit
alteration of binary files or of some system areas. For
example, when a computer virus attempts to alter a binary
file that has been locked by the user, this invention
rejects the attempt without any interference with the rest
of the system.

While binary files that have been locked are protected and
can never be altered, a compiler and linker would not work
properly. This problem is addressed and solved by the
policy of association.

One sort of virus may reside in the boot sector, which is
located in the first sector of each disk/diskette. This
attempt is also rejected. Concerning data files, viruses
may attack data files or alter some of the data. This is
also prevented without interference, by a remedy named
association that gives authority to specific application
programs. In a conventional system the access right was
open to any process, although that was not necessary.

Brief Description of Drawings

Figure 1 depicts a conventional system in which a disk
controller is connected to a disk drive. Figure 2 depicts
an implementation embedded in a disk controller; 1 is this
invention comprising the disk controller. Figure 3 depicts
a path for the privileged signal, which is a jumper line 2
between the keyboard connector and this invention 3
embedded in a disk controller, a peripheral device.



Brief Description of Invention

This invention consists of a decision making system and a
gate system.

The decision system decides whether to open the gate or
not. The gate mechanism controls the flow of data to be
written to the storage device.

This invention restricts illegitimate write access to
resources in storage devices including disk drive, floppy,
tape, optical drive and RAM drive. This invention provides
the most effective protection against computer viruses. It
lets the user confine the accessibility given by the
conventional system. A specific file or a group of files
is protected from alteration even in kernel mode.

The decision making system and gate system are embedded in
the conventional system. The decision making system
examines all write operations to determine whether they
are legitimate or not; since a virus can manipulate files
on a storage device, this probe is required for safety. If
the result of the probe is legitimate, it lets the gate
open; otherwise it lets the gate close.



This invention makes decisions according to the policies
of Association and Isolation. The policy of Association
(referred to as Association) confines a program's access
right to a specified group of data files. The group is
represented by an extension, which is a part/suffix of the
file name and denotes the file type. The policy of
Isolation (referred to as Isolation) restricts write
access to objects (files) that are in the LK state. All
the restrictions are devised in the interest of security
against computer viruses.

The gate is embedded in the conventional system. It
rejects a proposed write operation when the gate control
command is NOPEN, so that the data to be written to the
storage device is not forwarded, and does not reject the
proposed write operation when the gate control command is
OPEN.

This invention supports a special case in which a compiler
or linker produces files in state LK (read-only mode) to
prevent possible infection by computer viruses. This
invention gives the compiler and linker an exception when
they overwrite binary files they have produced before.

Detailed Description of Invention

This invention consists of a policy and a mechanism that
carries out the policy.

This invention applies equally to any type of computer
system that comprises a storage device, and to any type of
storage device. For example, the present invention is not
limited to hard storage devices but applies to optical,
floppy, tape, RAM drive and other storage devices as well.
This invention can be implemented by a peripheral card or
by software embedded in the system kernel.

Although this invention should be implemented in hardware,
it may also be implemented in software. When the target
computer in which this invention is to be implemented has
a memory protection facility, this invention can be
implemented in software and would be as effective as a
hardware implementation except in some cases under special
circumstances. For example, this invention may not work as
intended if some portion of its software is altered. This
alteration can be caused by a virus or by some other
reason. An advantage of hardware implementation is high
reliability, and an advantage of software implementation
is low cost of implementation.

For a computer system without a memory protection
facility, the hardware implementation must be chosen for
reliability.

When this invention is implemented in hardware, it may be
embedded in a peripheral device, referring to Figure 2.
When this invention is implemented in software, it may be
embedded in the kernel of the operating system.

A write operation may be driven by a computer virus if the
system is under the control of the virus. This invention
is embedded in the conventional system and examines all
write operations before they are written. This invention
decides whether to approve a write operation or not
according to this invention's policy.

There are some fundamental functions used in the decision
making system. GET_CAP (Currently Active Program) gets the
currently active program in the system, GET_CBHF
(Currently Being Handled File) gets the currently being
handled file, GET_CBHFE (Currently Being Handled File's
Extension) gets that file's extension, GET_TRANSIT gets a
transit, and FindCase matches the currently active program
and the currently being handled file with a case.

The decision making system is depicted clearly and simply
by pseudo code in the style of the C programming language.

    decision()
    {
        /* linker/compiler exception, table ADLC */
        if (FindCase(LC) == LC1) return OPEN;
        /* association, table ODT */
        if (FindCase(A) == A2) return NOPEN;

        /* transit cases */
        c = FindCase(I);
        if (c == I1 || c == I2 || c == I3 || c == I4) return OPEN;
        if (c == I5 || c == I6) return NOPEN;

        c = FindCase(K);
        if (c == K1) return OPEN;
        if (c == K2) return NOPEN;
    } /* decision */

FindCase(LC) attempts to match the currently active
program (CAP), which would be a compiler or linker, and
the currently being handled file (CBHF) with cases from
LC1 to LC3.

Case LC1 is defined as: CAP (currently active program) is
found and is associated with CBHF (currently being handled
file) in table ADLC. Case LC2 is defined as: CAP is found
and is not associated with CBHF in table ADLC. Case LC3 is
defined as: CBHF is not found in table ADLC. These may be
abridged as follows:

Case   CAP is                            Decision
LC1    found, associated with CBHF       OPEN
LC2    found, not associated with CBHF   NOT OPEN
LC3    not found                         NOT OPEN

If case LC1 is matched with CAP and CBHF, the decision is
made as OPEN; otherwise an attempt is made to match CAP
and CBHF with a case between A1 and A3.

Case A1 is defined as: the currently being handled file's
extension (CBHFE) is found and is associated with CAP,
which would be an application program, in table ODT. Case
A2 is defined as: CBHFE is found and is not associated
with CAP in table ODT. Case A3 is defined as: CBHFE is not
found in table ODT. These may be abridged as follows:

Case   CBHFE is                          Decision
A1     found, associated with CAP        NOT DECIDED
A2     found, not associated with CAP    NOT OPEN
A3     not found                         NOT DECIDED

If matched with case A2, the decision is made as NOT OPEN;
otherwise another attempt is made. FindCase(I) attempts to
match a case between I1 and I4 with CBHF.

Case I1 is defined as: transit is p1, r3, p4 or p5. Case
I2 is defined as: transit is r2 or r6. Case I3 is defined
as: transit is q1, q4 or q5. These may be abridged as
follows:

Case   Transit          Decision
I1     p1, r3, p4, p5   OPEN
I2     r2, r6           NOT OPEN
I3     q1, q4, q5       NOT DECIDED

If I1, I2, I3 or I4 is matched, the decision is made as
OPEN; if I5 or I6 is matched, the decision is made as NOT
OPEN; otherwise the next attempt is made. Finally, there
are two cases, P1 and P2, so that matching is finalized
even though no match has been made so far.

Case P1 is defined as: the privileged signal is issued to
approve the proposal. Case P2 is defined as: the
privileged signal is not issued, or is issued to
disapprove. These may be abridged as follows:

Case   PS            Decision
P1     APPROVAL      OPEN
P2     DISAPPROVAL   NOT OPEN

A proposed write operation is described by EXTid, PGid and
Ofi, which represent the current situation. Ofi represents
a file in the storage device and is used as an
identification for files. PGid is an identification for
programs in a storage device. LCid is an identification
for linkers and compilers, used to distinguish a compiler
or linker from other linkers or compilers. EXTid is an
identification for extensions of a file name. A file in a
storage device may be referred to by Ofi, PGid, EXTid and
LCid.



After the decision making process has ended, a command is
passed to the gate system. The command will be either OPEN
or NOPEN. The command OPEN means that the gate lets the
requested data go forward to storage, and the command
NOPEN means that the gate does not let the requested data
go forward to storage but the system resumes. NOCOMMAND is
used to indicate the initialized state.

Gate Control Commands
-NOCOMMAND
-OPEN
-NOPEN (do not open gate (reject) and resume)
-NOPEN2 (reject and generate error)

There are four states an object (file) can be in. State
UK, in which the object is accessed for writing. State LK,
in which the object is accessed only for reading; write
access is forbidden. State AL, in which the object is
alerted. State WA, in which the object is being altered.

Isolation prohibits write access to a locked object, which
is in the LK state. The conventional system does not
provide strict and proper restriction for objects that are
in state LK, while this invention distinguishes them and
restricts write operations to locked objects.

Isolation isolates the binary files you choose from
alteration. Objects in the AL and LK states should be
isolated, and LK objects should not be altered. More
specifically, PS (privileged signal) enables files in
state LK or AL to be put into state UK.

More specifically, an object can have state WA, UK, LK or
AL. According to the policy of isolation, a locked object
cannot be altered. If data is destined to be written to a
locked object, the operation is ignored and a record of it
remains in 9134.LOG. If data is destined to be written to
an alert object, the operation causes a
confirmation/asking message window to be opened. If data
is destined to be written to an unlocked object, the
operation is granted; isolation should not interfere with
the conventional system. The policy should not be
violated.

A mechanism of association is designed to find the
relationship between a program (data file handler) and a
data file. A table named ODT contains all the
relationships between them.

EXTid field    Program field
EXTid          PGid...

The user can change these descriptions by editing ODT.DSC.
A group of data files is specified in the table; its
handlers are specified on the right-hand side of the table
while the data files are specified on the left-hand side.
This table is referred to by the decision making system. A
specified group of data files is allowed write access only
by the specified handlers. Additionally, this table may
contain linkers and compilers in the program field when
EXTid is 255.

A mechanism of isolation is designed to examine write
operations. It refers to BMT to learn the state of an
object and reports 'illegal operation' when a write access
is made to an object in the LK state. The table contains
the state of each object and is maintained as the states
change.

Unlocking and disabling alert operations require the
privileged signal for the demands to be met; otherwise the
demands cannot be met.

Demands   Meaning
DU        Demand of unlocking
DS        Demand of suspending alert
DD        Demand of disabling alert
DC        Demand of Configuration Setting
DR        Demand of Reallocation
Dds       Demand of Disable
Den       Demand of Enable
Dupg      Demand of Upgrade
Ddt       Demand of upgrade table
Dbt       Demand of boot sector



Any illegal operation found by the decision making system
is not reported immediately but is recorded, with some
related information, in a file 9134.LOG reserved on a mass
storage device. The illegal operation does not affect the
system, and the system is able to resume its next task.
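
The decision chain described above (linker/compiler exception from ADLC, association from ODT, isolation from the BMT state, then the privileged signal), written out in C as an added example; it is not code from the patent. The table contents and all program and file names are constructed, and the mapping of states to decisions (UK opens, LK is refused and recorded, AL waits for the signal) is an assumption drawn from the state descriptions, because the transit values behind cases I1 to I6 are not defined in this text.

```c
#include <stdio.h>
#include <string.h>

/* Gate commands, object states and signal values named after the text. */
typedef enum { OPEN, NOPEN } gate_cmd;
typedef enum { UK, LK, AL } obj_state;   /* unlocked, locked, alert */
typedef enum { PS_NONE, PS_APPROVE, PS_DISAPPROVE } priv_signal;

/* Constructed sample tables: every program and file name is hypothetical. */
struct adlc_row { const char *lc, *file; };    /* linker/compiler -> file it produced */
struct odt_row  { const char *ext, *prog; };   /* extension -> permitted handler */
struct bmt_row  { const char *file; obj_state st; };

static const struct adlc_row ADLC[] = { { "CC.EXE", "APP.EXE" } };
static const struct odt_row  ODT[]  = { { "DOC", "EDITOR.EXE" } };
static const struct bmt_row  BMT[]  = {
    { "APP.EXE", LK }, { "SETUP.CFG", AL }, { "NOTES.DOC", UK }
};
#define COUNT(t) (sizeof(t) / sizeof((t)[0]))

static char reject_log[8][64];   /* stands in for 9134.LOG */
static int  reject_len;

/* Extension is the text after the last dot, or "" when there is none. */
static const char *ext_of(const char *file) {
    const char *dot = strrchr(file, '.');
    return dot ? dot + 1 : "";
}

/* Case LC1: CAP is a linker/compiler associated with CBHF in ADLC. */
static int is_lc1(const char *cap, const char *cbhf) {
    for (size_t i = 0; i < COUNT(ADLC); i++)
        if (!strcmp(ADLC[i].lc, cap) && !strcmp(ADLC[i].file, cbhf))
            return 1;
    return 0;
}

/* Case A2: CBHFE is listed in ODT but never with CAP as its handler. */
static int is_a2(const char *cap, const char *cbhf) {
    int listed = 0;
    for (size_t i = 0; i < COUNT(ODT); i++) {
        if (strcmp(ODT[i].ext, ext_of(cbhf)) != 0)
            continue;
        if (strcmp(ODT[i].prog, cap) == 0)
            return 0;            /* case A1: associated */
        listed = 1;
    }
    return listed;               /* 0 here means case A3: not listed */
}

/* Assumption: a file absent from BMT is treated as unlocked (UK). */
static obj_state state_of(const char *cbhf) {
    for (size_t i = 0; i < COUNT(BMT); i++)
        if (!strcmp(BMT[i].file, cbhf))
            return BMT[i].st;
    return UK;
}

/* Record the refused write and tell the gate not to open. */
static gate_cmd reject(const char *cap, const char *cbhf) {
    if (reject_len < 8)
        snprintf(reject_log[reject_len++], sizeof reject_log[0],
                 "%s -> %s", cap, cbhf);
    return NOPEN;
}

int rejected_count(void) { return reject_len; }

/* ps stands in for the keyboard line; software never sets it here. */
gate_cmd decision(const char *cap, const char *cbhf, priv_signal ps) {
    if (is_lc1(cap, cbhf)) return OPEN;               /* LC1 */
    if (is_a2(cap, cbhf))  return reject(cap, cbhf);  /* A2  */
    switch (state_of(cbhf)) {                         /* isolation */
    case UK: return OPEN;
    case LK: return reject(cap, cbhf);
    case AL: break;                                   /* needs approval */
    }
    return ps == PS_APPROVE ? OPEN : NOPEN;           /* P1 / P2 */
}

int main(void) {
    const char *cmd[] = { "OPEN", "NOPEN" };
    printf("%s\n", cmd[decision("CC.EXE", "APP.EXE", PS_NONE)]);
    printf("%s\n", cmd[decision("OTHER.COM", "APP.EXE", PS_NONE)]);
    printf("%s\n", cmd[decision("OTHER.COM", "NOTES.DOC", PS_NONE)]);
    printf("%s\n", cmd[decision("SETUP.EXE", "SETUP.CFG", PS_APPROVE)]);
    printf("rejected: %d\n", rejected_count());
    return 0;
}
```

Because case LC1 is tested before the lock state, the write from CC.EXE to the locked APP.EXE is forwarded, so the whole compiler exception rests on how reliably CAP is identified.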

Distinguishing a virus from legitimate commands is not an
easy task. A privileged signal may be used to approve or
authorize an operation or command as a means of reliably
distinguishing virus from user. For example, if a signal
that is privileged, and that a virus cannot issue or
alter, is used when an important operation is proposed or
requested, the computer system will not be confused.

Isolation's policy definitely requires the privileged
signal (PS) when unlocking, disabling and alert.
Fortunately, unlocking a locked file is a rare operation.
The user may use this command when removing a program that
has been locked on a hard drive or floppy disk drive. The
unlocking operation is not a special command in the
system, because the operation has exactly the same effect
as setting the read-only attribute or

chmod u-w or
chmod g-w or
chmod o-w or
chmod a-w

Issuing the keyboard privilege requires a simple hardware
circuit rather than software, because if software can
issue PS, it means that a virus can as well. Issuing PS
should not bother the user. This invention provides a
privilege that derives from a physical action, not from a
process.

A keyboard signal is used as the privileged signal in an
embodiment of the present invention. The keyboard is
connected to an IO port on the system. The CPU gets a word
or byte from the IO port as the means of reading the
keyboard scan code. This invention gets a signal directly
from the IO port as the means of fetching the privileged
signal. Alternatively, this invention gets the signal
directly from the keyboard connector through a jumper line
between this invention and the keyboard connector.

The keyboard privilege cannot be violated by any process
such as a virus, because it is issued by pressing the
keyboard or by means specially designed to issue approval.
The privileged signal cannot be simulated or imitated by
any other process, executable code or instruction. Since
the signal is derived only from the keystroke, nothing
else generates the signal. It may be generated by a bug in
the keyboard circuit. This invention assumes that the
system has no such bug and that the computer circuit is
designed so that the keyboard scan code is delivered to
the IO port and no process can generate the signal except
the keyboard.

So far any resource could be controlled by a process, but
this invention provides a level of privilege that a virus
cannot reach.

When this invention is embodied, some conditions should be
satisfied in the interest of reliability. The write probe
mechanism examines a block of data requested to be
written, in the decision making system. The write probe
mechanism should be placed before the write operation
proceeds and before the gate mechanism.

The gate mechanism must be placed before writing to the
storage device.

The gate mechanism is recommended to be nearest to the
storage device. The gate and write probe mechanisms may be
placed together, and the gate should not malfunction or be
bypassed. This means that after the gate mechanism no
interference is allowed. An embodiment in which the gate
is hardware embedded in the storage device as part of the
storage, so that no process or executable code can affect
the operation of the gate, and placed adjacent to the hard
drive, connected directly as the hard disk interface or
hard drive controller, would be ideal. All these
arrangements are made to eliminate the possibility of
illegal alteration of data after the gate system.

The compiler and linker should be able to produce binary
files and overwrite them. Overwriting binary files is a
usual transaction, but this should be possible. The
compiler and linker support mode provides a special
function: any binary files (BFA) produced by a compiler or
linker can be overwritten by that compiler or linker, no
matter whether the BFA is locked or not.

Attention to the compiler or linker is needed here because
the compiler or linker may produce files in LK. In this
invention the compiler and linker can produce files
without any restriction, while other programs cannot. When
the compiler and linker produce files BFA (Binary Files to
be Altered), this invention adds items to table ADLC. When
the compiler and linker produce another file that does not
yet exist, it is also added to the ADLC table. It is like
the following:

Linker or Compiler field    BFA field
LCid                        Ofi ...

This invention probes the accessibility for writing before
the compiler and linker produce/overwrite files. If the
access is legal, the operation is done; otherwise the
operation is denied. When the compiler or linker produces
files that do not currently exist in the system, or that
exist and are in the UK state, the operation is done and
an item is added to table ADLC if the file does not exist
in the table.

This invention has a facility to reallocate files in the
storage device. This is performed to increase access
efficiency, is not possible.

Descriptors exist in the storage device. ODF.DSC,
UPGRD.DSC and EL.DSC are those files. These files contain
information on the association between objects (files) and
programs. EL.DSC contains extensions and is optionally
used. ODF.DSC is edited by the user. EL.DSC can be edited
by the user. Both files are not to be removed and are in
the AL state. If the files are damaged or removed by any
accident, they are recovered by the system. Any
alteration, removing or appending an item, causes the
system to open and read the files. These files are edited
with the editor DSCED. UPGRD.DSC is given by the dealer
and contains new information. It is used when the system
is upgraded.

An Embodiment of Present Invention 1

This emulates this invention. It is designed to work under
the DOS environment without any hardware support, so it
does not have reliable protection and cannot demonstrate
all the features of this invention.

Primary Modules and Mechanism
Decision
Maintenance
Gate
Diagnosis
Privileged Signal Handler
Memory
IO
Debug

An Embodiment of Present Invention 2

An embodiment of the present invention is a hard drive
interface card, which is connected directly to the hard
drive. No process or executable code can interfere, so the
highest privileged mechanism is realized. All the
mechanisms of the gate and decision making system are
comprised within the card.

An Embodiment of Present Invention 3

This is embedded in a system kernel. The mechanism does
not have the highest privilege that this invention should
have, but this is a cheap way to implement it.

CLAIMS

1. A method protecting resource in storage device
against computer viruses comprising:

initializing;

determining whether proposed write operation is
legitimate or illegitimate based on a currently active
linker program, compiler program, a currently active
application program, a currently being handled file,
associated information or mode of a current being handled
file;

rejecting said proposed write operation if said
proposed write operation is not legitimate;

forwarding said proposed write operation to
storage device if said proposed write operation is
legitimate;

reallocating contents of files in order to
optimize access time to storage device;

attempting to recover faults occurred in
conventional system;

diagnosing integrity of system;

disabling determining.

2. The method of claim 1 wherein said tables are
built by an initializing program;

said tables comprising ADLC, ODT, BMT and EL. 

3. The method of claim 1 wherein the method of
determining comprises the steps of:

probing said proposed write operation whether said
currently active linker or compiler program is found and
associated with said currently being handled file in said
tables or not;

determining legitimate if said active linker or
compiler program was associated with said being handled
file; otherwise

probing said proposed write operation whether said
currently being handled file by said currently active
application program is found (specified) and is not
associated with said currently active application program
in said tables or not in said tables;

determining illegitimate if said being handled
file is found and is not associated with said currently
active application program; otherwise

probing said proposed write operation whether said
proposed operation is unlocking operation, an operation
to file in read-write mode or an operation to file in
read-only mode in said tables;

determining legitimate if said proposed write
operation was unlocking or an operation to file in
read-write mode or illegitimate and recording the decision
with current time and date in a log file if said proposed
write operation was an operation to file in read-only
mode; otherwise

fetching privileged signal from keyboard and
decoding;

determining legitimate if said privileged signal
approved or illegitimate if disapproved.

4. The steps of claim 3 wherein said file in
read-only mode comprising:

contents of said file and allocation information
of said file in storage device.

5. The method of claim 3 wherein said being
handled file by said current program is represented by
extension of said being handled file.

6. A method for fetching privileged signal
comprising:

a jumper line between keyboard IO port and a
decoder decoding keyboard signals;

decoding said keyboard signals.

7. Another method for fetching privilege signal
comprising:

fetching signal from keyboard IO port.

8. The method of claim 6 is only used when this
invention is embedded in a peripheral device.

9. The method of claim 7 is only used when this
invention is embedded in main system.

10. The method of claim 7 wherein said privileged
signal is invalid when said privilege signal is imitated
by any other executable codes or program.

11. The method of claim 7 wherein said privileged
signal is valid if said privileged signal was only
generated by a switch or keyboard stroke.

12. A system for protecting resource in storage
device against computer viruses comprising:

means for initializing;

means for determining whether proposed write
operation is legitimate or illegitimate based on
currently active linker program, compiler program,
application program, being handled file or mode of a
current being handled file;

means for rejecting said write operation if said
write operation is not legitimate;

means for forwarding said write operation to
storage device if said write operation is legitimate;

means for reallocating contents of files in order
to optimize access time to storage device;

means for attempting to recover faults occurred in
conventional system;

means for diagnosing integrity of system;

means for disabling determining.

13. The system of claim 12 is embedded in
peripheral device and a micro processor is used to
execute program, ROM is used to contain said program and
RAM is used to store symbols used by said program.

14. The system of claim 12 is alternatively
embedded in main system.

15. The system of claim 12 is alternatively
implemented as a system software and embedded in
operating system.

16. A method for protecting resource in storage
device against computer viruses as hereinbefore described
with reference to drawings.



PCT/KR92/00053 
WO 93/09498 


17. A system for protecting resource in storage 
device against computer viruses substantially as 
hereinbefore described with reference to the drawings. 